Pan-European research shows 226m personal records breached over the last decade

News by Steve Gold

Data breaches - a serious problem over the last decade...

Research just published claims to show that data breaches are more likely to be caused by the mistakes of employees and/or rogue employees within organisations than by external hackers.

According to the report - which was compiled by the Central European University's Centre for Media, Data and Society (CMDS) and is billed as the largest ever of its kind - the personal data of millions of Europeans has been compromised, with 89 percent of the breaches being the fault of corporations rather than governments or public service agencies.

Delving into the report - entitled 'Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005-2014' - reveals that 24 percent of the Europe-specific breaches originated in the UK, and that for every 100 people living in the UK, 200 personal records have been compromised.

The scale of the breaches that have occurred in Europe is breathtaking, with 226m personal records compromised across the continent over the last decade.

Interestingly, the report highlights some unusual examples of data breach, where the data was lost or published in a surprising way.

"One example is from Denmark, where personal information of HIV patients was included in a PowerPoint presentation. This in itself was an accidental leak, but only to the audience at the presentation; however, the PPT was later published online. Another incident happened in the United Kingdom when a staff member of an educational institution lost their camera, which held sensitive information, namely photographs of job applicants' passports," says the report.

"Another case took place before the 2011 Bulgarian elections when the Ministry of Foreign Affairs accidentally published online the names as well as the addresses of the permanent residences of Bulgarian nationals living abroad. Although the information was available online for a few hours, it made these citizens an easy and open target for theft and burglary," it adds.

Meanwhile in the UK

The good news identified in the analysis is that, whilst the UK appears to have many more data breaches than other countries, this is actually a consequence of its strict legislation.

A large proportion of these data breaches, however, are the result of carelessness - either on the part of the owners or the handlers of personal records - says the report, adding that most cases involve administrative errors or mismanagement, such as failing to wipe the hard drives of old computers offered for re-sale.

According to Andrew Mason, co-founder and technical director of RandomStorm, it is interesting to see that such a comprehensive analysis of 350 breaches has found that more than half resulted from weak internal security practices, rather than external attacks.

"Indeed, the JPMorgan and RSA breaches were both attributed to employees clicking on links and opening attachments in phishing emails, which opened up the network to hackers. However, the 57 percent figure is a little misleading as data doesn't just walk out of the door on its own. Generally, vulnerabilities exist within the internal network that are then exploited by external actors," he said.

This, says Mason, is precisely why the UK government has set up initiatives such as the Cyber Essentials scheme, to combat cyber crime by helping all organisations to improve their awareness of current security best practice.

Steve Smith, managing director of security consultancy Pentura, meanwhile, said that businesses need to audit and classify the data they hold, and put relevant controls in place to minimise the risk of employees deliberately, or through careless practices, leaking that information.

"Whether intentional or not, internal breaches can be equally as damaging as external attacks and businesses must take this into consideration when developing data loss prevention strategies. Ensuring that your internal policies and controls are watertight and that employees are educated in data security is just as important as protecting your network from outside cyberattacks," he explained.

This theme was picked up by Professor John Walker, a visiting professor at Nottingham Trent University, who said that large organisations face a significant challenge when it comes to protecting data.

He explained that this translates into a zero-protection situation in which large numbers of staff have day-to-day access to the data, and that there is a definite need to secure portable devices such as USB sticks, on which data is often squirreled away by staff.

The problem facing large organisations, says Professor Walker, who is also CTO of Cytelligence, is that once the perimeter is breached by unauthorised users - including rogue employees within the company - the data is wide open to abuse.
